Minnesota Governor Signs Comprehensive Privacy Law

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Minnesota Governor Signs Comprehensive Privacy Law

The Minnesota Consumer Data Privacy Act was signed by the Minnesota Governor as part of an omnibus bill (HF 4757), making Minnesota the 19th state to enact a comprehensive data privacy law. The law will take effect July 31, 2025.

TAKEAWAY

The Minnesota Consumer Data Privacy Act most closely resembles Connecticut’s data privacy law, but it has borrowed certain aspects from other states as well. For example, Minnesota, like Oregon, will give consumers the right to request from controllers a list of specific third parties (as opposed to categories of third parties) to which personal data has been disclosed. The law also adopts several requirements from California and Colorado rules regarding the extension of consent and opt-out rights and privacy notices. In addition to provisions adopted from other states, the Minnesota law also creates some new requirements, including, most notably, requirements to maintain “an inventory of the data” that is processed and a “description of the policies and procedures” that the controller has adopted to comply with the data privacy law. 

Get the up-to-date Sourcepoint overview of US state consent and data privacy laws.

CPPA Seeks Stakeholder Input in Developing Data Broker Regulations

The California Privacy Protection Agency (CPPA) released an invitation for public comment on a number of topics under the Delete Act, a law enacted in October 2023 that, among other requirements, directs the CPPA to set up a central mechanism by January 1, 2026 to enable consumers “through a single verifiable consumer request” to request that all registered brokers delete the consumer’s personal information. The invitation for public comment requests feedback in response to specific questions related to the definition and enablement of “verifiable consumer requests”, ways to submit and receive information in a “privacy protecting way”, ways to provide and verify the status of requests, and considerations with respect to the consumer experience. Public comments can be emailed to databrokers@cppa.ca.gov by June 25, 2024. The CPPA will also hold a stakeholder session June 26. 

TAKEAWAY

The Delete Act gives the CPPA some latitude in developing a deletion mechanism under the law, but it also imposes several required parameters for the consent and data privacy mechanism. Specifically, the mechanism must not allow the disclosure of any additional personal information to data brokers and must allow consumers to selectively exclude brokers from their deletion requests, allow consumers to alter their previous requests (by withdrawing their name from the mechanism), allow brokers to determine whether a request made through the mechanism is verifiable, be free of charge to consumers, allow for requests in any relevant language, be accessible to those with disabilities, support use of authorized agents by consumers, and allow consumers to check the status of their data privacy requests.

Some of these requirements pose challenges that are reflected in the CPPA’s request for comments. For example, how can the mechanism allow brokers to determine whether a request made through the mechanism is verifiable in a manner that can be automated across data brokers and does not allow the disclosure of any additional personal information to data brokers (particularly since the data already in the possession of a data broker or necessary to verify an individual will not be the same across data brokers)? The consumer experience, about which the CPPA is seeking feedback, will also be an important component, for example, to ensure the requirement to allow consumers to selectively exclude data brokers (and understand the meaning of deleting data from some, but not all, data brokers) is meaningful, given the number of data brokers that may be involved. 

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.